fail2ban configuration in Fedora/RHEL

The configuration files for fail2ban on Fedora 20 live in the /etc directory under /etc/fail2ban/,
with further sub-directories for actions, filters and jails.

drwxr-xr-x.   2 root 4.0K May 16  2014 action.d
drwxr-xr-x.   2 root 4.0K Mar 19  2014 fail2ban.d
drwxr-xr-x.   2 root 4.0K May 16  2014 filter.d
drwxr-xr-x.   2 root 4.0K Mar 19  2014 jail.d
-rw-r--r--.   1 root 2.1K Mar 14  2014 fail2ban.conf
-rw-r--r--.   1 root   33 Dec 10 00:16 fail2ban.local
-rw-r--r--.   1 root  14K Dec 10 01:06 jail.conf
-rw-r--r--.   1 root  16K Dec 10 00:54 jail.conf.rpmnew
-rw-r--r--.   1 root  805 Dec 10 07:48 jail.local
-rw-r--r--.   1 root 1.5K Mar 14  2014 paths-common.conf
-rw-r--r--.   1 root  606 Mar 14  2014 paths-debian.conf
-rw-r--r--.   1 root  649 Mar 14  2014 paths-fedora.conf
-rw-r--r--.   1 root 1.2K Mar 14  2014 paths-freebsd.conf
-rw-r--r--.   1 root  290 Mar 14  2014 paths-osx.conf

NOTE: To preserve your edits and customizations, create separate *.local files, since the regular *.conf files may be overwritten during an upgrade. The *.local files take precedence over the *.conf files because they are parsed afterwards. In a *.local file specify only the settings you want to change; everything else comes from the corresponding *.conf file, which is parsed first.

sendmail Notifications

If you’d like to be notified every time fail2ban blocks an IP address from SSH access, for example, edit or create the /etc/fail2ban/jail.local file and append the following lines:

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com]
logpath  = /var/log/secure
maxretry = 5

Since the [ssh-iptables] section wasn’t included in the jail.conf file by default (on my system, at least), I’ve added the entire section to the jail.local file; had it been present, I would have added only the lines I wanted to change.
All entries are grouped into sections whose headers are enclosed in square brackets; the lines that follow a header apply to that section until the next [section name].

enabled = true

“enabled” switches a jail on or off.
By default all jails are disabled, and it should stay this way. Enable only those jails relevant to your setup in your .local or jail.d/*.conf files.

  • true: jail will be enabled and log files will get monitored for changes
  • false: jail is not enabled

filter = sshd

refers to the .conf file of the same name in /etc/fail2ban/filter.d/, which contains the rules (regular expressions, etc.) that fail2ban uses to find matches in the log files.

action =

Each jail can be configured with only a single filter, but may have multiple actions. For those name items (e.g. action) that accept multiple values (e.g. iptables, sendmail), either separate the values by spaces or put each one on its own line, with every line from the second value onward indented by whitespace; so mind the tabs (or spaces) at the beginning of the “sendmail…” line.

action = iptables[...]
         sendmail-whois[..]

By default, the name of an action is the action’s filename in /etc/fail2ban/action.d/; for Python actions the “.py” file extension is stripped. The action option specifies the steps fail2ban will take, e.g. banning an IP address that matched the rules of the specified filter.

iptables[name=SSH, port=ssh, protocol=tcp]

name=, port=, and protocol= are options from the /etc/fail2ban/action.d/iptables.conf file that you’d like to override or specify. Action files have two sections, Definition and Init. The “Init” section holds action-specific settings, which can be overridden for a particular jail as options in that jail’s action specification.

firewalld

With recent versions of Fedora and RHEL the default firewall program is firewalld. The Fedora Wiki lists some useful configuration options for fail2ban with firewalld, such as changing the default banaction to firewallcmd-ipset. Simply add the following to the beginning of the DEFAULT section in your jail.local file:

banaction = firewallcmd-ipset

There are also configuration files in the action.d sub-directory for firewallcmd-ipset.conf and firewallcmd-new.conf. Additional info can be viewed and tracked in this bug-report.
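As an added example (not from the original post or the fail2ban project), the Python snippet below models the two mechanics described above: jail.local layered over jail.conf so that a banaction set in the .local DEFAULT section reaches every jail, and a multi-line action value split into its individual action[...] specifications. It uses the standard-library configparser rather than fail2ban's own reader and constructed jail.conf/jail.local contents; the real reader also merges jail.d/*.conf and *.local, which this model omits.

```python
import configparser

# Constructed stand-in for the shipped jail.conf (parsed first).
JAIL_CONF = """\
[DEFAULT]
banaction = iptables-multiport
maxretry  = 3
[sshd]
enabled = false
filter  = sshd
action  = %(banaction)s[name=sshd, port=ssh]
"""

# Constructed stand-in for the admin's jail.local (parsed second, so its keys win).
JAIL_LOCAL = """\
[DEFAULT]
banaction = firewallcmd-ipset

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com]
logpath  = /var/log/secure
maxretry = 5
"""


def load_jails(conf_text, local_text):
    """Parse the .conf first, then the .local, so every .local key overrides."""
    cfg = configparser.ConfigParser()  # %(name)s resolves against [DEFAULT]
    cfg.read_string(conf_text)
    cfg.read_string(local_text)
    return cfg


def parse_action(spec):
    """'iptables[name=SSH, port=ssh]' -> ('iptables', {'name': 'SSH', 'port': 'ssh'})."""
    name, bracket, rest = spec.strip().partition("[")
    if bracket and not rest.endswith("]"):
        raise ValueError(f"malformed action spec: {spec!r}")
    pairs = (i.partition("=") for i in rest.rstrip("]").split(",") if i.strip())
    return name, {k.strip(): v.strip() for k, _, v in pairs}


def jail_actions(cfg, jail):
    """One parsed action per indented line of the jail's multi-line 'action' value."""
    return [parse_action(ln) for ln in cfg.get(jail, "action").splitlines() if ln.strip()]


def enabled_jails(cfg):
    """Jails switched on; anything a jail does not set is inherited from [DEFAULT]."""
    return [j for j in cfg.sections() if cfg.getboolean(j, "enabled")]
```

Running `jail_actions(load_jails(JAIL_CONF, JAIL_LOCAL), "ssh-iptables")` yields the iptables and sendmail-whois actions with their option dictionaries, while the [sshd] jail from jail.conf now resolves its action to firewallcmd-ipset because of the .local DEFAULT override.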
